Feature #962
closedCan I log the mac address of the source?
Description
Knowing the mac address can help us about knowing the attacker. So can suricata log the mac address? Like the -e option in snort? Thanks for help.
Updated by Victor Julien over 10 years ago
We don't have a similar option. How are the mac addresses logged with -e in Snort?
Updated by Song Liu over 10 years ago
In NFQ mode, we don't have MAC address, because it is layer 3.
Updated by Andreas Herz about 8 years ago
That's a feature request. Did anyone already looked into that? I did just test it with snort in sniffer mode (-vCd -i $DEVICE -e) which we don't have exactly, but could be useful in normal IDS mode as well.
Updated by Andreas Herz about 8 years ago
- Tracker changed from Support to Feature
- Assignee set to OISF Dev
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Eric Leblond
- Target version changed from TBD to 70
Updated by Victor Julien over 6 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien about 6 years ago
At the team meeting in Amsterdam 2018 we agreed on the following:
for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
Alerts will log based on packet, but can add mac addrs from flow too.
Updated by Raymond Hansen over 5 years ago
- Assignee changed from Eric Leblond to Sascha Steinbiss
Updated by Victor Julien almost 5 years ago
- Related to Bug #1711: eve: Ethernet Header Missing From Packet Field added
Updated by Sascha Steinbiss about 4 years ago
Just taking a look at this atm.
for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)Alerts will log based on packet, but can add mac addrs from flow too.
I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?
Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?
Thanks!
Updated by Sascha Steinbiss about 4 years ago
Sascha Steinbiss wrote in #note-11:
Just taking a look at this atm.
for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)Alerts will log based on packet, but can add mac addrs from flow too.
I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at
p->flowinCreateJSONHeaderand see if the*pktcntvalues there indicate >1 packet?Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code?
FlowHandlePacketUpdate?
I think I've at least found a starting point: https://github.com/satta/suricata/commit/ac09ed3d3b85c76c0bb38795efcb0ab11466f67b
Updated by Victor Julien over 3 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 6.0.0beta1